I get a daily security e-mail from my web server alerting me to failed login attempts and other security issues and in the past few weeks (months?) I’ve been getting tens if not hundreds of failed attempts to login to my server. At first I thought I could resolve the issue by blocking the IP addresses in /etc/hosts.allow for the SSH server, but the attempts continued unabated.
I looked online for solutions and found a few sites mentioning the problem, but none of them had solutions I liked.
My solution was to first turn off root logins by setting the
PermitRootLogins no
in /etc/ssh/sshd_config. I should have done that a long time ago, but I hadn’t thought of it until now. My second step was to only allow logins from one group. It’s not ultra-secure and I’m sure there are better ways, but that limits the number of users I have to keep track of who have access to my machine, and for now that’s good enough for me.
I found several other links related to this issue which I’ve included here for your perusal.
Unix Girl
Unix Girl 2
Seclists.org
Linode.com
Drinsama.de
Verbum.org
Sans.org
Heal your church
I was having the same problem not too long ago. I had already locked down the SSH Daemon so it was really just more of an annoyance to see it in my logs. When this first started happening I asked a few people on IRC and we came to the conclusion that it was a highly unsophisticated botnet. I moved the SSH Daemon to another port and haven’t seen anything since. Theoretically, somebody could just do a quick portscan and start attacking again but I don’t think this particular botnet is that smart.
If you’re looking for up-to-the-minute info on these botnets that have been surfacing, check out http://isc.sans.org/
They seem to be reporting on this at least once a week.
Heh, I already had a link to sans.org (it’s the 2nd to last one in the list at the bottom).
Here’s a solution to the problem, FWIW